Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04/07/2024, 00:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe
-
Size
95KB
-
MD5
d88fe9a05bba5f5ca85574012a8598a5
-
SHA1
0608af788e5364f575ba07eeb09b001fd0d05993
-
SHA256
85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd
-
SHA512
b1121edbcb44a17f77f83f09020f3d1b80711df108a81247397516b9ca29bdd0805d775ae2d52870f2a712f135db7250c71522220df13105c4a50414a8972bc5
-
SSDEEP
1536:nH9W6BrlAyKUB7WAOfSgKi7dTN+qyzcbCWX5AH2JKGOM6bOLXi8PmCofGV:dW6BRVtru5iQCIAHiBDrLXfzoeV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmdpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajecmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bajomhbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflomnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clmbddgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmbddgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbhgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oancnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbllb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnndlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Limfed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqhijbog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcpofbjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaheie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinfhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inkccpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbikgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmhdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccbqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjqiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe -
Executes dropped EXE 64 IoCs
pid Process 2784 Hgdbhi32.exe 2480 Hckcmjep.exe 2800 Hnagjbdf.exe 2400 Hlfdkoin.exe 2128 Hhmepp32.exe 2296 Hogmmjfo.exe 2896 Ihoafpmp.exe 2664 Ihankokm.exe 1544 Ihdkao32.exe 1740 Iqopea32.exe 1668 Idmhkpml.exe 1448 Ifnechbj.exe 2160 Jofiln32.exe 1116 Jqfffqpm.exe 2108 Jmmfkafa.exe 2352 Jkbcln32.exe 2972 Joplbl32.exe 1988 Kemejc32.exe 1596 Kaceodek.exe 1308 Kjljhjkl.exe 1232 Kcdnao32.exe 2828 Kiccofna.exe 1632 Kmopod32.exe 1900 Kjcpii32.exe 2348 Lfjqnjkh.exe 2136 Lijjoe32.exe 2468 Logbhl32.exe 2620 Limfed32.exe 2796 Lecgje32.exe 2572 Lefdpe32.exe 2372 Mhdplq32.exe 1904 Mhgmapfi.exe 1844 Mmceigep.exe 1360 Mbpnanch.exe 1188 Mlibjc32.exe 292 Mimbdhhb.exe 2168 Miooigfo.exe 2172 Mpigfa32.exe 780 Nefpnhlc.exe 1260 Nhfipcid.exe 2768 Nncahjgl.exe 400 Ndmjedoi.exe 1096 Nkgbbo32.exe 1160 Nnennj32.exe 1228 Ndpfkdmf.exe 1272 Njlockkm.exe 3044 Nceclqan.exe 2920 Ngpolo32.exe 640 Olmhdf32.exe 1936 Oddpfc32.exe 1500 Ofelmloo.exe 2976 Onmdoioa.exe 2380 Oqkqkdne.exe 2640 Ocimgp32.exe 2928 Ohfeog32.exe 2404 Oqmmpd32.exe 2880 Oclilp32.exe 1348 Ojfaijcc.exe 1800 Omdneebf.exe 2200 Ocnfbo32.exe 2780 Odobjg32.exe 1684 Okikfagn.exe 1328 Pimkpfeh.exe 2872 Pklhlael.exe -
Loads dropped DLL 64 IoCs
pid Process 2188 85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe 2188 85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe 2784 Hgdbhi32.exe 2784 Hgdbhi32.exe 2480 Hckcmjep.exe 2480 Hckcmjep.exe 2800 Hnagjbdf.exe 2800 Hnagjbdf.exe 2400 Hlfdkoin.exe 2400 Hlfdkoin.exe 2128 Hhmepp32.exe 2128 Hhmepp32.exe 2296 Hogmmjfo.exe 2296 Hogmmjfo.exe 2896 Ihoafpmp.exe 2896 Ihoafpmp.exe 2664 Ihankokm.exe 2664 Ihankokm.exe 1544 Ihdkao32.exe 1544 Ihdkao32.exe 1740 Iqopea32.exe 1740 Iqopea32.exe 1668 Idmhkpml.exe 1668 Idmhkpml.exe 1448 Ifnechbj.exe 1448 Ifnechbj.exe 2160 Jofiln32.exe 2160 Jofiln32.exe 1116 Jqfffqpm.exe 1116 Jqfffqpm.exe 2108 Jmmfkafa.exe 2108 Jmmfkafa.exe 2352 Jkbcln32.exe 2352 Jkbcln32.exe 2972 Joplbl32.exe 2972 Joplbl32.exe 1988 Kemejc32.exe 1988 Kemejc32.exe 1596 Kaceodek.exe 1596 Kaceodek.exe 1308 Kjljhjkl.exe 1308 Kjljhjkl.exe 1232 Kcdnao32.exe 1232 Kcdnao32.exe 2828 Kiccofna.exe 2828 Kiccofna.exe 1632 Kmopod32.exe 1632 Kmopod32.exe 1900 Kjcpii32.exe 1900 Kjcpii32.exe 2348 Lfjqnjkh.exe 2348 Lfjqnjkh.exe 2136 Lijjoe32.exe 2136 Lijjoe32.exe 2468 Logbhl32.exe 2468 Logbhl32.exe 2620 Limfed32.exe 2620 Limfed32.exe 2796 Lecgje32.exe 2796 Lecgje32.exe 2572 Lefdpe32.exe 2572 Lefdpe32.exe 2372 Mhdplq32.exe 2372 Mhdplq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ajhgmpfg.exe Adnopfoj.exe File opened for modification C:\Windows\SysWOW64\Bfenbpec.exe Bpleef32.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nlekia32.exe File created C:\Windows\SysWOW64\Odeiibdq.exe Nkmdpm32.exe File created C:\Windows\SysWOW64\Cilibi32.exe Bmeimhdj.exe File opened for modification C:\Windows\SysWOW64\Ifnechbj.exe Idmhkpml.exe File created C:\Windows\SysWOW64\Biamilfj.exe Bbhela32.exe File created C:\Windows\SysWOW64\Qffmipmp.dll Enfenplo.exe File created C:\Windows\SysWOW64\Kocbkk32.exe Kiijnq32.exe File created C:\Windows\SysWOW64\Aaheie32.exe Qbbhgi32.exe File opened for modification C:\Windows\SysWOW64\Bnkbam32.exe Bhajdblk.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Fjaonpnn.exe Echfaf32.exe File opened for modification C:\Windows\SysWOW64\Inkccpgk.exe Icfofg32.exe File created C:\Windows\SysWOW64\Jbdonb32.exe Jkjfah32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bdbhke32.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Ceodnl32.exe File created C:\Windows\SysWOW64\Ijdqna32.exe Iamimc32.exe File created C:\Windows\SysWOW64\Kmcipd32.dll Kjifhc32.exe File created C:\Windows\SysWOW64\Iddnkn32.dll Jnkpbcjg.exe File created C:\Windows\SysWOW64\Nmpnhdfc.exe Ngfflj32.exe File created C:\Windows\SysWOW64\Acahnedo.dll Ngpolo32.exe File created C:\Windows\SysWOW64\Bldcpf32.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Kcbabf32.dll Eqbddk32.exe File created C:\Windows\SysWOW64\Gljnej32.exe Gepehphc.exe File created C:\Windows\SysWOW64\Lccdel32.exe Lphhenhc.exe File created C:\Windows\SysWOW64\Nhokkp32.dll Ccahbp32.exe File created C:\Windows\SysWOW64\Bjlcgibn.dll Ihdkao32.exe File opened for modification C:\Windows\SysWOW64\Dknekeef.exe Dhpiojfb.exe File created C:\Windows\SysWOW64\Iapebchh.exe Icmegf32.exe File opened for modification C:\Windows\SysWOW64\Odoloalf.exe Onecbg32.exe File created C:\Windows\SysWOW64\Pjldghjm.exe Odoloalf.exe File opened for modification C:\Windows\SysWOW64\Jkbcln32.exe Jmmfkafa.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Fepiimfg.exe Fnfamcoj.exe File created C:\Windows\SysWOW64\Lonjma32.dll Iheddndj.exe File opened for modification C:\Windows\SysWOW64\Cmgechbh.exe Cilibi32.exe File opened for modification C:\Windows\SysWOW64\Logbhl32.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cahail32.exe File created C:\Windows\SysWOW64\Ibcidp32.dll Kocbkk32.exe File created C:\Windows\SysWOW64\Bfenfipk.dll Ncbplk32.exe File created C:\Windows\SysWOW64\Ekjajfei.dll Bldcpf32.exe File opened for modification C:\Windows\SysWOW64\Cdgneh32.exe Cahail32.exe File created C:\Windows\SysWOW64\Glgaok32.exe Gjfdhbld.exe File created C:\Windows\SysWOW64\Ccfcekqe.dll Jhngjmlo.exe File opened for modification C:\Windows\SysWOW64\Qbplbi32.exe Pmccjbaf.exe File opened for modification C:\Windows\SysWOW64\Achojp32.exe Amnfnfgg.exe File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe Cddjebgb.exe File created C:\Windows\SysWOW64\Ifiacd32.dll Flehkhai.exe File created C:\Windows\SysWOW64\Mecjiaic.dll Iapebchh.exe File opened for modification C:\Windows\SysWOW64\Kjifhc32.exe Kconkibf.exe File opened for modification C:\Windows\SysWOW64\Nhllob32.exe Ncpcfkbg.exe File opened for modification C:\Windows\SysWOW64\Acfaeq32.exe Aaheie32.exe File opened for modification C:\Windows\SysWOW64\Abbeflpf.exe Alhmjbhj.exe File created C:\Windows\SysWOW64\Cddjebgb.exe Clmbddgp.exe File created C:\Windows\SysWOW64\Kclhicjn.dll Blbfjg32.exe File created C:\Windows\SysWOW64\Gifhnpea.exe Gfhladfn.exe File opened for modification C:\Windows\SysWOW64\Lccdel32.exe Lphhenhc.exe File created C:\Windows\SysWOW64\Nlekia32.exe Nekbmgcn.exe File created C:\Windows\SysWOW64\Bbikgk32.exe Bhdgjb32.exe File created C:\Windows\SysWOW64\Okoafmkm.exe Odeiibdq.exe File opened for modification C:\Windows\SysWOW64\Pqjfoa32.exe Pgbafl32.exe File created C:\Windows\SysWOW64\Cenaioaq.dll Achojp32.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Aadloj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4388 4364 WerFault.exe 354 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hedocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cilibi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onecbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" Pjbjhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdanpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbokmqie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bejdiffp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceamohhb.dll" Nhllob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padajbnl.dll" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghniakc.dll" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfeekif.dll" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll" Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Achojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dliijipn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Endhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioolqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Kjcpii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccdbl32.dll" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll" Oomjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" Egoife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmceigep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anafhopc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmgechbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpehocqo.dll" Heglio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgjljo.dll" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qodlkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll" Melfncqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll" Pkdgpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnkicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbopgb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2784 2188 85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe 28 PID 2188 wrote to memory of 2784 2188 85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe 28 PID 2188 wrote to memory of 2784 2188 85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe 28 PID 2188 wrote to memory of 2784 2188 85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe 28 PID 2784 wrote to memory of 2480 2784 Hgdbhi32.exe 29 PID 2784 wrote to memory of 2480 2784 Hgdbhi32.exe 29 PID 2784 wrote to memory of 2480 2784 Hgdbhi32.exe 29 PID 2784 wrote to memory of 2480 2784 Hgdbhi32.exe 29 PID 2480 wrote to memory of 2800 2480 Hckcmjep.exe 30 PID 2480 wrote to memory of 2800 2480 Hckcmjep.exe 30 PID 2480 wrote to memory of 2800 2480 Hckcmjep.exe 30 PID 2480 wrote to memory of 2800 2480 Hckcmjep.exe 30 PID 2800 wrote to memory of 2400 2800 Hnagjbdf.exe 31 PID 2800 wrote to memory of 2400 2800 Hnagjbdf.exe 31 PID 2800 wrote to memory of 2400 2800 Hnagjbdf.exe 31 PID 2800 wrote to memory of 2400 2800 Hnagjbdf.exe 31 PID 2400 wrote to memory of 2128 2400 Hlfdkoin.exe 32 PID 2400 wrote to memory of 2128 2400 Hlfdkoin.exe 32 PID 2400 wrote to memory of 2128 2400 Hlfdkoin.exe 32 PID 2400 wrote to memory of 2128 2400 Hlfdkoin.exe 32 PID 2128 wrote to memory of 2296 2128 Hhmepp32.exe 33 PID 2128 wrote to memory of 2296 2128 Hhmepp32.exe 33 PID 2128 wrote to memory of 2296 2128 Hhmepp32.exe 33 PID 2128 wrote to memory of 2296 2128 Hhmepp32.exe 33 PID 2296 wrote to memory of 2896 2296 Hogmmjfo.exe 34 PID 2296 wrote to memory of 2896 2296 Hogmmjfo.exe 34 PID 2296 wrote to memory of 2896 2296 Hogmmjfo.exe 34 PID 2296 wrote to memory of 2896 2296 Hogmmjfo.exe 34 PID 2896 wrote to memory of 2664 2896 Ihoafpmp.exe 35 PID 2896 wrote to memory of 2664 2896 Ihoafpmp.exe 35 PID 2896 wrote to memory of 2664 2896 Ihoafpmp.exe 35 PID 2896 wrote to memory of 2664 2896 Ihoafpmp.exe 35 PID 2664 wrote to memory of 1544 2664 Ihankokm.exe 36 PID 2664 wrote to memory of 1544 2664 Ihankokm.exe 36 PID 2664 wrote to memory of 1544 2664 Ihankokm.exe 36 PID 2664 wrote to memory of 1544 2664 Ihankokm.exe 36 PID 1544 wrote to memory of 1740 1544 Ihdkao32.exe 37 PID 1544 wrote to memory of 1740 1544 Ihdkao32.exe 37 PID 1544 wrote to memory of 1740 1544 Ihdkao32.exe 37 PID 1544 wrote to memory of 1740 1544 Ihdkao32.exe 37 PID 1740 wrote to memory of 1668 1740 Iqopea32.exe 38 PID 1740 wrote to memory of 1668 1740 Iqopea32.exe 38 PID 1740 wrote to memory of 1668 1740 Iqopea32.exe 38 PID 1740 wrote to memory of 1668 1740 Iqopea32.exe 38 PID 1668 wrote to memory of 1448 1668 Idmhkpml.exe 39 PID 1668 wrote to memory of 1448 1668 Idmhkpml.exe 39 PID 1668 wrote to memory of 1448 1668 Idmhkpml.exe 39 PID 1668 wrote to memory of 1448 1668 Idmhkpml.exe 39 PID 1448 wrote to memory of 2160 1448 Ifnechbj.exe 40 PID 1448 wrote to memory of 2160 1448 Ifnechbj.exe 40 PID 1448 wrote to memory of 2160 1448 Ifnechbj.exe 40 PID 1448 wrote to memory of 2160 1448 Ifnechbj.exe 40 PID 2160 wrote to memory of 1116 2160 Jofiln32.exe 41 PID 2160 wrote to memory of 1116 2160 Jofiln32.exe 41 PID 2160 wrote to memory of 1116 2160 Jofiln32.exe 41 PID 2160 wrote to memory of 1116 2160 Jofiln32.exe 41 PID 1116 wrote to memory of 2108 1116 Jqfffqpm.exe 42 PID 1116 wrote to memory of 2108 1116 Jqfffqpm.exe 42 PID 1116 wrote to memory of 2108 1116 Jqfffqpm.exe 42 PID 1116 wrote to memory of 2108 1116 Jqfffqpm.exe 42 PID 2108 wrote to memory of 2352 2108 Jmmfkafa.exe 43 PID 2108 wrote to memory of 2352 2108 Jmmfkafa.exe 43 PID 2108 wrote to memory of 2352 2108 Jmmfkafa.exe 43 PID 2108 wrote to memory of 2352 2108 Jmmfkafa.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe"C:\Users\Admin\AppData\Local\Temp\85643005d4a9ee52ad907bdae523d51eb44b9c658e50f181d39e02e19a9625cd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe33⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe35⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe36⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe37⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe38⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe39⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe40⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe41⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe43⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe44⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe46⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe47⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe48⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe51⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe52⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe53⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe54⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe56⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe57⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe58⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe59⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe60⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe62⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe63⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe64⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe65⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe66⤵PID:1664
-
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe67⤵PID:2208
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe68⤵
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe69⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe70⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe71⤵PID:828
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe75⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe76⤵PID:2452
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe78⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe80⤵PID:488
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe81⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe82⤵PID:2996
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe83⤵PID:1720
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe84⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe85⤵PID:884
-
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe86⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe87⤵PID:2808
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe88⤵PID:2284
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe89⤵PID:2484
-
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe91⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe92⤵PID:2448
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe94⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe95⤵PID:1748
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe96⤵
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe97⤵PID:872
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe98⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe99⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe100⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe101⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe103⤵PID:1884
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe106⤵PID:1512
-
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe107⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe108⤵PID:2408
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe110⤵PID:2552
-
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe111⤵PID:1712
-
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe112⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe114⤵PID:2772
-
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe115⤵PID:2220
-
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe117⤵PID:1860
-
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe118⤵PID:808
-
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe119⤵PID:1880
-
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe120⤵PID:2520
-
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe121⤵
- Modifies registry class
PID:2692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-